Securely storing passwords and keys?

I'd like to use Puppet to distribute ssh keys for privileged users, and passwords for a number of configuration files that require them (i.e. database credentials, to be put in templated config files). We're currently using Puppet Enterprise 2.5, and open source 2.7 on some test clients. My main requirements are:

This information should be versioned in git.

It should be separate from our modules and manifests, so that modules/manifests can be seen by people without access to the secrets (effectively limited to those with root on the puppet master).

For sanity's sake, the structure of the directories in the /data area should reflect your module naming scheme. The default (in Puppet 3.1.0) auth.conf file should work for this scheme but doesn't provide additional protection beyond requiring ...

There is also another interesting hiera plugin called hiera-eyaml. With this one you are not encrypting whole yaml files but just the values, e.g. you can easily see which keys are defined in your eyaml files without being able to decrypt the values. Only the puppetmaster is able to decrypt the values with its private key, and everyone with the corresponding public key can put new encrypted values in the eyaml file.
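
An added example (not part of the original answer, and not hiera-eyaml's own code): because hiera-eyaml leaves key names readable, someone without the private key can still audit which values in a data file are encrypted and which secret-looking keys were left in plaintext. It assumes the `ENC[PKCS7,...]` value wrapper that hiera-eyaml writes; the key-name pattern, function names and sample data are constructed for illustration.

```ruby
require 'yaml'

# hiera-eyaml wraps each encrypted value as ENC[<method>,<base64>]; keys stay readable.
ENC_RE = /\AENC\[(\w+),[A-Za-z0-9+\/=\s]+\]\z/
# Assumption: key names matching this pattern are expected to hold secrets.
SENSITIVE_RE = /pass(word)?|secret|private_key|token/i

# Walk a parsed hiera data structure and yield [dotted_key_path, leaf_value].
def each_leaf(node, path = [], &block)
  case node
  when Hash  then node.each { |k, v| each_leaf(v, path + [k.to_s], &block) }
  when Array then node.each_with_index { |v, i| each_leaf(v, path + [i.to_s], &block) }
  else block.call(path.join('.'), node)
  end
end

# Returns key paths grouped as :encrypted, :plaintext and :violations
# (plaintext values stored under a secret-looking key). No private key is needed.
def audit_eyaml(text)
  report = { encrypted: [], plaintext: [], violations: [] }
  each_leaf(YAML.safe_load(text)) do |key, value|
    if value.is_a?(String) && value.strip.match?(ENC_RE)
      report[:encrypted] << key
    else
      report[:plaintext] << key
      report[:violations] << key if key.match?(SENSITIVE_RE)
    end
  end
  report
end

# Constructed sample; the ENC payloads are dummy base64, not real ciphertext.
SAMPLE = <<~EYAML
  mysql::server::root_password: ENC[PKCS7,Y29uc3RydWN0ZWQtc2FtcGxl]
  mysql::server::port: 3306
  app::db:
    user: appuser
    password: hunter2
  app::api_tokens:
    - ENC[PKCS7,ZHVtbXktdG9rZW4=]
EYAML

report = audit_eyaml(SAMPLE)
puts "encrypted:  #{report[:encrypted].join(', ')}"
puts "plaintext:  #{report[:plaintext].join(', ')}"
puts "violations: #{report[:violations].join(', ')}"
```

Run over the files staged for commit, a non-empty violations list is a reason to reject the commit before a plaintext secret reaches the git history.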